I have been a Gentoo user for over 10 years and I've asked this question every so often, never to get a solid answer. I would like an easy to use firewall for my Gentoo setups. I've tried reading multiple iptables & shorewall configuration guides and none of them make any sense to me. So I'd like to ask again (maybe something has changed in 2014): does there exist any easy to set up, newb-friendly Linux firewall software that an idiot like myself can use?

You might want to have a look at firewall-mv from the mv overlay, although one can of course always argue what is "simple". The default rules (especially blocking outgoing traffic) are likely to be too restrictive for you so you must really look at the configuration.

I used guarddog http://www.simonzone.com/software/guarddog/ but it got dropped a few years ago.
I tried ufw and iptables ... and I prefer iptables. So I use iptables. I'm far from an expert and I'm only doing some basic stuff like blocking incoming traffic and allowing limited users access to limited ports for some egress protection ... but it's good enough for me.

If you have been using Gentoo for the last 10 years what have you been using for a firewall configuration tool?

If you have been using Gentoo for the last 10 years what have you been using for a firewall configuration tool?

That is the point: for the past 10 years I have used nothing, because I have not found _ANYTHING_ that is easy enough for me to understand. There really needs to be something easier than iptables for Linux systems.

It would be nice if someone wrote a generic shorewall config for the gentoo wiki.

The problem with this is that it is not really helpful against attackers if you do not know all the tricks hackers use: you get only protection against the tricks which you do know. As an example, as we just had recently, blocking ICMP can even allow certain types of new attacks, so it can do more harm than be helpful if you do not understand fully what you are doing.
Blocking ports actually should not be necessary if you let your programs listen to only local ports (which is usually the default, but checking

Code:

netstat -tulpe

won't hurt).

You can stop searching. There's only iptables. The rest are all frontends to it. That in turn means that at some point, even if you use one of these frontends, you will hit a showstopper that will force you to learn iptables to do something that the frontend at hand can't do.

I've used UFW for over three years on a couple of boxes. It's very easy and intuitive to configure, and there are GUI front-ends (I use kcm-ufw).

It used to be a bit of a pain, as it requires your kernel config to include many of the netfilter components (as modules or built-in). The current ebuilds check this and warn you if it's not right. (The same config requirements will apply to any firewall, 'cos as mentioned above they're all backed by iptables.)

"only ip tables" maybe we beef this up then? https://wiki.gentoo.org/wiki/Iptables
"nftable deprecation" the wiki and other pages state that there will be compatibility layers to habituate you into the new format.
"nftables" net-firewall/nftables Linux kernel (3.13+) firewall, NAT and packet mangling tools

how new is your kernel? 3.13.1 is latest stable vanilla sources. there is a 3.13 gentoo source also floating around. maybe we start banging out the nftables wiki with arch wiki guidance. https://wiki.archlinux.org/index.php/Nftables

The problem with this is that it is not really helpful against attackers if you do not know all the tricks hackers use: you get only protection against the tricks which you do know. As an example, as we just had recently, blocking icmp can even allow certain types of new attacks, so it can do more harm than be helpful if you do not understand fully what you are doing.
Blocking ports actually should not be necessary if you let your programs listen to only local ports (which is usually the default, but checking

Code:

netstat -tulpe

won't hurt).

I'm not sure why you think I am making things worse with a firewall. I only allow access to the net for user accounts which need it: one account for email (access via claws-mail) or web browsing. So programs can only access the net if they were started with my network access group; since I use IceWM, that's easy to put in the toolbar, etc.

Code:

### parameter for internet access group name; don't use '-' in names
internet_access_group="my_net_group"
### where this is used with the gid-owner option, the program should be started with sg to switch group to the net access group

"nftable deprecation" the wiki and other pages state that there will be compatibility layers to habituate you into the new format.

One cannot rely on that: currently "most"(TM) functionality is provided, but it is some sort of emulation mode, and the interface has a rather different syntax. I have not looked at the details yet, but it seems that in nftables some things should "natively" be done differently. The emulation mode (even if it does work, which for some enhanced iptables functionality might be only for a limited time, since it appears that the "emulation" of some such features is to call the old iptables code in the kernel) is certainly less optimal than if you set up the bytecode directly.

I didn't say that you make it worse, but it is possible to make it worse if one makes some mistakes. I currently have no time to look at your code and also do not remember the URL posted in some recent discussion. You might want to google for "blocking icmp harmful": I remember there were some attacks possible with packets broken up into several parts if these parts are not put together correctly due to wrong blocking. Also, not all spoofing can be detected automatically by the kernel. E.g. if you know that through some interfaces you should only get certain IP ranges, you should check for these. To get a safe setup you should know that such spoofing is a possible attack method. Probably there are other such examples which I do not remember at the moment.
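As an added example (not code from any poster, and not the firewall-mv script itself), here is a small shell generator that turns the two points made in this exchange into an iptables rule set: egress is allowed only for processes running under one group (the `-m owner --gid-owner` technique the quoted config relies on, started via `sg`), the ICMP types that path-MTU discovery and traceroute depend on are kept instead of dropping all ICMP, and packets arriving on the LAN interface from outside the LAN range are dropped explicitly in addition to enabling `rp_filter`. The group name `my_net_group`, the range `192.168.1.0/24` and the interface `eth0` are assumed defaults; the script only prints the rules so they can be reviewed, and applies them only when invoked with `--apply` as root.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) an
# iptables rule set that:
#  (a) restricts egress to one group via -m owner --gid-owner,
#  (b) keeps the ICMP types that path-MTU discovery and traceroute need,
#  (c) drops traffic on the LAN interface whose source is not in the LAN range.
# Group, LAN range and interface are assumed values; adjust for your box.

# Usage: gen_firewall_rules GROUP LAN_CIDR LAN_IFACE  (prints rules to stdout)
gen_firewall_rules() {
    group=$1 lan=$2 iface=$3
    # Reject group names outside [a-z_][a-z0-9_]*; the quoted config warns
    # against '-' in names, and a bad name would silently match nothing.
    case $group in
        ''|*[!a-z0-9_]*|[0-9]*) echo "bad group name: $group" >&2; return 1 ;;
    esac
    # The anti-spoof rule only makes sense with a CIDR range, not a single host.
    case $lan in
        */*) ;;
        *) echo "LAN range must be CIDR, e.g. 192.168.1.0/24: $lan" >&2; return 1 ;;
    esac
    cat <<EOF
sysctl -w net.ipv4.conf.all.rp_filter=1
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $iface ! -s $lan -j DROP
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $group -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Apply for real only when asked explicitly: ./fw.sh --apply GROUP LAN IFACE
if [ "${1:-}" = "--apply" ]; then
    shift
    gen_firewall_rules "$@" | sh -e
else
    gen_firewall_rules "${FW_GROUP:-my_net_group}" "${FW_LAN:-192.168.1.0/24}" "${FW_IFACE:-eth0}"
fi
```

Note that `--gid-owner` matches the effective group of the sending process, so a program started with `sg my_net_group -c claws-mail` gets out while the same binary started from a plain shell is rejected with an ICMP admin-prohibited error rather than a silent timeout. Destination-unreachable (which carries "fragmentation needed") and time-exceeded are accepted unconditionally; dropping them is the kind of ICMP filtering the post above warns about.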

So I guess that means there aren't any newb-friendly GNU/Linux firewalls.

I'm not so sure about that. I agree with Goverp, UFW is about as beginner-friendly as you're going to get. I've been using it for four years or so on a few laptops. My main laptop runs KDE so I use the KConfig Module kcm-ufw, which is a nice GUI front-end. My other laptops run Xfce, so on those I use ufw-frontends, which is also a nice GUI front-end. You can see screenshots of the GUIs on the respective Web sites. The installation of a front-end does not preclude you using the command line instead, if you want.

Example 1:

To access Samba shares on my laptop from a Windows PC, I launched the ufw-frontends GUI and added the rule:

N.B. My router uses 192.168.1.0/24 as the internal IP address range for my home network. Your router may use a different internal address range, so check in your router's User Guide or its Web configuration page and modify your rule accordingly if necessary.

Example 2:

Yesterday I installed KDE Connect on my Android phone and my main laptop running KDE. The KDE Connect developers wrote that ports 1714 to 1764 need to be open for TCP and UDP in order to allow the two devices to communicate. Adding the required firewall rules via the KDE GUI (System Settings > Firewall) was a piece of cake, but I also tried it via the command line to check both approaches:
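As an added example, not the poster's own command-line attempt, the following shell function builds the ufw rules for the KDE Connect range while applying the caveat from Example 1: the ports are opened only to the home LAN (`192.168.1.0/24` here, which you must check against your own router) rather than to every source. It validates the port range before emitting anything and, like `ufw` itself for port ranges, names the protocol explicitly; it prints the commands and only runs them with `--apply`.

```shell
#!/bin/sh
# Added example (not from the post). Emit ufw rules that open a port range
# only to the LAN instead of to the whole world. 192.168.1.0/24 is an
# assumed LAN range; 1714:1764 are the KDE Connect ports named above.

# Usage: ufw_lan_rules LAN_CIDR LOW:HIGH   (prints one rule per protocol)
ufw_lan_rules() {
    lan=$1 range=$2
    low=${range%%:*} high=${range##*:}
    # Both ends must be integers in 1..65535 with low <= high; a typo such
    # as 1764:1714 would otherwise be accepted by the GUI as an empty rule.
    case $low$high in
        ''|*[!0-9]*) echo "bad port range: $range" >&2; return 1 ;;
    esac
    if [ "$low" -lt 1 ] || [ "$high" -gt 65535 ] || [ "$low" -gt "$high" ]; then
        echo "bad port range: $range" >&2; return 1
    fi
    case $lan in
        */*) ;;
        *) echo "LAN must be a CIDR range: $lan" >&2; return 1 ;;
    esac
    # ufw requires a protocol when a port range is given, so emit one rule each.
    for proto in tcp udp; do
        echo "ufw allow proto $proto from $lan to any port $range"
    done
}

if [ "${1:-}" = "--apply" ]; then
    shift
    ufw_lan_rules "$@" | sh -e
    ufw status numbered
else
    ufw_lan_rules "${LAN_CIDR:-192.168.1.0/24}" "${PORT_RANGE:-1714:1764}"
fi
```

After applying, `ufw status numbered` should show two entries for `1714:1764` with `192.168.1.0/24` as the source; a rule showing `Anywhere` as the source means the LAN restriction was lost and the range is open to the internet.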